In a typical cellular radio system, wireless terminals (also known as mobile stations and/or user equipment units (UEs)) communicate via a radio access network (RAN) with one or more core networks. The wireless terminals can be mobile stations or user equipment units (UEs) such as mobile telephones (“cellular” telephones) and laptops with wireless capability (e.g., mobile termination), and thus can be, for example, portable, pocket, hand-held, computer-included, or car-mounted mobile devices which communicate voice and/or data with the radio access network.
The radio access network (RAN) covers a geographical area which is typically divided into cell areas, with each cell area being served by a base station, e.g., a radio base station (RBS), which is called “BS” in WiMAX, “AP” in WLAN, and “NodeB” or “B node” in 3rd generation mobile networks. A cell is a geographical area where radio coverage is provided by the radio base station equipment at a base station site. Each cell and/or base station is identified by an identity within the local radio area, which is broadcast in the cell. The base stations communicate over the air interface operating on radio frequencies with the user equipment units (UEs) within range of the base stations.
In some versions (particularly earlier versions) of the radio access network, several base stations are typically connected (e.g., by landlines or microwave) to a radio network controller (RNC). The radio network controller, also sometimes termed a base station controller (BSC), supervises and coordinates various activities of the plural base stations connected thereto. The radio network controllers are typically connected to one or more core networks. The base stations may also have means for enabling the handover of wireless terminals between base stations, either assisted by the core network, or using direct base station interconnections.
The Universal Mobile Telecommunications System (UMTS) is a third generation mobile communication system, which evolved from the Global System for Mobile Communications (GSM), and is intended to provide improved mobile communication services based on Wideband Code Division Multiple Access (WCDMA) access technology. UTRAN is essentially a radio access network using wideband code division multiple access for user equipment units (UEs). The Third Generation Partnership Project (3GPP) has undertaken to evolve further the UTRAN and GSM based radio access network technologies.
Specifications for the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) are ongoing within the 3rd Generation Partnership Project (3GPP). The Evolved Universal Terrestrial Radio Access Network (E-UTRAN) comprises the Long Term Evolution (LTE) and is part of the System Architecture Evolution (SAE).
Long Term Evolution (LTE) is a variant of a 3GPP radio access technology wherein the radio base station nodes are connected directly to a core network rather than to radio network controller (RNC) nodes. In general, in LTE the functions of a radio network controller (RNC) node are performed by the radio base station nodes. As such, the radio access network (RAN) of an LTE system has an essentially “flat” architecture comprising radio base station nodes without reporting to radio network controller (RNC) nodes. Thus, the evolved UTRAN (E-UTRAN) comprises evolved base station nodes, e.g., evolved NodeBs or eNBs, providing evolved UTRAN user-plane and radio resource control-plane protocol terminations toward the wireless terminal.
WiMAX, the Worldwide Interoperability for Microwave Access, is a telecommunications technology that provides for the wireless transmission of data in a variety of ways, ranging from point-to-point links to full mobile cellular-type access. The technology lets users enjoy broadband speed without requiring any wires or bulky network structures. The technology is based on the IEEE 802.16 standard (also called WirelessMAN). The name “WiMAX” was created by the WiMAX Forum.
When a node such as a wireless terminal attaches to a network, a security handshake is often performed which includes authentication and configures the use of encryption on the radio interface, etc. To this end, the wireless terminal must notify the network which security capabilities (e.g., security algorithms and protocols) it supports so that the network can make a suitable choice. However, this notification can be vulnerable to so-called bidding-down attacks, as described below.
Suppose, for example, that the wireless terminal supports authentication algorithm S (“secure”) and authentication algorithm L (“less secure”). Suppose further that a malicious party intervenes and changes the wireless terminal's capability signaling from the set of authentication algorithms {S, L} to the set {L}, as depicted in FIG. 1. The network will believe the wireless terminal (UE) only supports authentication algorithm L (“less secure”), and therefore the network will be forced to choose the less secure L. This means that the security obtained for the wireless terminal will be less than it could have been. Even worse, if the system allows terminals without any security capabilities, the attacker could forward an empty set of authentication algorithms, e.g., { }, meaning that the wireless terminal supports no security at all. Consequently there is a need to protect the message containing the wireless terminal's security related (and possibly other) capabilities.
The usual or natural approach to security threats is to integrity protect the notification message that advises the network of the security capabilities of the wireless terminal. However, since the notification message normally must take place before the authentication, no cryptographic keys are usually available for this purpose since the keys are created after (or simultaneously with) the authentication. Using public key technology would be an option, but suffers from poor efficiency and lack of public key infrastructure (PKI) support in most wireless standards.
A solution for WiMAX is to defer the capability signaling (SBC capability) until after the authentication step.
The earlier IEEE 802.16 standards used the Privacy and Key Management (PKM) protocol, which had many critical drawbacks. IEEE 802.16e includes a new version of the Privacy and Key Management (PKM) protocol released as PKMv2. PKMv2 makes radical changes in contrast with the previous version, including security features like nonces, message authentication codes, key ids, certificates, etc. Thus, PKMv2 in WiMAX carries some security capability in the PKM request message. These capabilities are security related and also might be related to the authentication capabilities, and such capabilities need to be protected as well.
Another common technique (used in e.g. 3GPP UMTS and LTE) is depicted in FIG. 2. FIG. 2 particularly shows a wireless terminal performing parts of the network attach procedure. It is assumed that basic radio connection establishment (not shown) has already occurred. The technique comprises the following steps:
Step 2-1: The wireless terminal (UE) sends its security capabilities to the network (VPLMN). Security capabilities here refer to encryption algorithms, etc. that will be used after (successful) authentication.
Step 2-2: The network (VPLMN) fetches authentication data from an authentication, authorization, and accounting (AAA) server or portion of HPLMN. In UMTS, the AAA server is known as the Home Subscriber Server (HSS).
Step 2-3: Authentication by means of a challenge-response procedure (explained in more detail below) is performed and a key, k, is produced.
Step 2-4: The VPLMN “echoes” the security capabilities received from the wireless terminal (UE) in the message of Step 2-1, but now integrity protected (authenticated) by the key k.
Step 2-5: The wireless terminal (UE), using the same key k, verifies the integrity and checks that the capabilities are the same as it sent in the message of Step 2-1.
The technique exemplified by FIG. 2 solves an aforementioned problem with regard to security capabilities, but still has the unpleasant property that a faked capability message is only detected after the authentication and enabling of security functions. Moreover, the security capabilities are only reliably protected if the authentication procedure is performed in a secure manner, since otherwise the key, k, may be known to other parties, enabling forgery of the message in Step 2-4.
Challenge-response protocols forming part of the procedure of FIG. 2 exist in the prior art and are used for authentication (e.g. GSM/UMTS Authentication and Key Agreement, AKA, Extensible Authentication Protocol, EAP, Digest-authentication, etc.). In such protocols the wireless terminal and the AAA server are assumed to have a pre-shared key (or password), K. Basic aspects of such challenge-response protocols are depicted by the example steps listed below.
(1) The AAA server chooses a random value, RAND.
(2) The AAA server computes an expected response, XRES=F(K, RAND), where F is an agreed cryptographic function (F could depend also on other parameters than RAND). Other parameters, e.g. keys, may also be computed based on RAND and K.
(3) The AAA server sends RAND to the wireless terminal.
(4) The wireless terminal computes a response, RES=F(K, RAND), and sends it back (to the AAA server or some authenticator node in the access network).
(5) The AAA server/authenticator checks if RES=XRES, and if so considers the wireless terminal authenticated.
In such challenge-response protocols, Step (2) by necessity has to be performed after step (1) and before step (5) but may optionally be performed after step (3) and step (4). This poses limitations on the set of possible authentication procedures.
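The following is an added example, not part of the original text: it runs Step 2-1 to Step 2-5 of FIG. 2 together with challenge-response steps (1) to (5) and shows that a capability set rewritten from {S, L} to {L} is only caught at Step 2-5, after the network has already authenticated and chosen L. HMAC-SHA-256 as the function F and as the integrity function, the derivation labels, the capability encoding, and the names `prf`, `encode`, `attach` and `tamper` are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

PREFERENCE = ["S", "L"]  # network policy: prefer S ("secure") over L ("less secure")

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the agreed function F and for the MAC.
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

def encode(caps) -> bytes:
    # Canonical encoding so that both sides MAC the same bytes.
    return ",".join(sorted(caps)).encode()

def attach(ue_caps, K_ue: bytes, K_aaa: bytes, tamper=None):
    """Return (authenticated, chosen_algorithm, ue_accepts_echo)."""
    # Step 2-1: capabilities travel unprotected; `tamper` models an on-path rewrite.
    sent = set(ue_caps)
    received = set(tamper(sent)) if tamper else set(sent)
    # Step 2-2, steps (1)-(2): AAA picks RAND, computes XRES = F(K, RAND) and key k.
    rand = secrets.token_bytes(16)
    xres, k_net = prf(K_aaa, b"res", rand), prf(K_aaa, b"key", rand)
    # Step 2-3, steps (3)-(5): terminal answers RES = F(K, RAND) and derives k too.
    res, k_ue = prf(K_ue, b"res", rand), prf(K_ue, b"key", rand)
    if not hmac.compare_digest(res, xres):
        return False, None, False
    # The network chooses from what it *received*, which may already be downgraded.
    chosen = next((a for a in PREFERENCE if a in received), None)
    # Step 2-4: network echoes the received set, integrity protected with k.
    echo, tag = encode(received), prf(k_net, b"echo", encode(received))
    # Step 2-5: terminal verifies the MAC, then compares the echo with what it sent.
    mac_ok = hmac.compare_digest(tag, prf(k_ue, b"echo", echo))
    return True, chosen, mac_ok and echo == encode(sent)

if __name__ == "__main__":
    K = secrets.token_bytes(16)  # constructed pre-shared key
    print(attach({"S", "L"}, K, K))
    print(attach({"S", "L"}, K, K, tamper=lambda caps: {"L"}))
    print(attach({"S", "L"}, K, K, tamper=lambda caps: set()))
```

In the tampered runs the terminal rejects the echo, but only after authentication has completed and the network has selected from the downgraded set, which is the limitation the text attributes to the FIG. 2 technique.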
In general, systems such as UMTS or LTE protect the security capabilities, but do not protect the authentication capabilities. It is likely that such systems in the near future may support a plurality of authentication capabilities, and hence the lack of protection of the authentication capabilities creates both a basic threat against the authentication procedures, as well as a “domino effect” since the security capabilities may become threatened as a side effect. The reason that the authentication capabilities are not protected is partly due to the inherent “chicken-and-egg” problem associated with any straight-forward approach attempting to provide such protection.
Moreover, the security related capabilities in the prior art arrangements mentioned above (e.g. UMTS) are only protected between a visited public land mobile network (VPLMN) and the wireless terminal. This means that a strong trust in the VPLMN is needed since otherwise the VPLMN could still “fake” the wireless terminal capabilities forwarded from the wireless terminal. In particular, the authentication capabilities may sometimes be an “end-to-end” issue between wireless terminal and authentication and accounting (AAA) function/server and should likewise be end-to-end protected.